DEFCON-31-Syscalls-Workshop. Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
765Payload-Download-Cradles. This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.
258Create-Thread-Shellcode-Fetcher. This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.
257Direct-Syscalls-vs-Indirect-Syscalls. The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
242Direct-Syscalls-A-journey-from-high-to-low. Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
147HWBP-DEP-Bypass. Educational proof-of-concept demonstrating DEP/NX bypass using hardware breakpoints, vectored exception handling, and instruction emulation on Windows x64. For security research and learning purposes only.
100CS-EDR-Enumeration. Cobalt Strike Aggressor Script for identifying security products on Windows hosts — six enumeration methods rated by noise level, from silent in-process BOF to full PowerShell/WMI.
90Taskschedule-Persistence-Download-Cradles. Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged
89DSC_SVC_REMOTE. This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
55Create_Thread_Inline_Assembly_x86. This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly
20Shell-we-Assembly. Shellcode execution via x86 inline assembly based on MSVC syntax
17Create_Thread-Inline_Assembly_x86_Fibers. This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers
8WinMalDev. Various methods of executing shellcode
8Ghost. Evasive shellcode loader
8Windows-Local-Privilege-Escalation-Cookbook. Windows Local Privilege Escalation Cookbook
7Conference-Slides.
7UnlinkDLL. DLL Unlinking from InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList, and LdrpHashTable
6NtRemoteLoad. Remote Shellcode Injector
5CallstackSpoofingPOC. C++ self-Injecting dropper based on various EDR evasion techniques.
5EDR-Preloader. An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer
5Advanced-Process-Injection-Workshop. C++
5esi-certificate-verify. Keep track of participants from the workshop "Endpoint Security Insights: Shellcode Loaders & Evasion"
3learning-malware-analysis. This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware.
3OSCP-Tricks-2023. OSCP 2023 Preparation Guide | Courses, Tricks, Tutorials, Exercises, Machines
3HookDump. Security product hook detection
3Tartarus-TpAllocInject. C++
3Conferences_OtterHacker. C
3NovaLdr. Threadless Module Stomping In Rust with some features (In memory of those murdered in the Nova party massacre)
3learning-reverse-engineering. This repository contains sample programs written primarily in C and C++ for learning native code reverse engineering.
2SysWhispers3. SysWhispers on Steroids - AV/EDR evasion via direct system calls.
2Blindside. Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms
2Voidgate. A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
2Jomungand. Shellcode Loader with memory evasion
1Messagebox-Test. PowerShell
1HadesLdr. Shellcode Loader Implementing Indirect Dynamic Syscall , API Hashing, Fileless Shellcode retrieving using Winsock2
1HWSyscalls. HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
1TartarusGate. TartarusGate, Bypassing EDRs
1